Blacklisting causes funds to be permanently frozen.
Summary
Tokens like USDC,JPYC and USDT can blacklist addresses, causing funds to be frozen.
Vulnerability Details
According to line 32 of Distributor.sol,USDC/JPYC/USDT are all meant to be used within the SPARKN ecosystem.
However, all these tokens contain a variation of a blacklist function.
This means that when the STADIUM_ADDRESS gets blacklisted by any of the token issuers, the contests with those tokens deposited in them will be frozen.
The problem lays in the _distribute() function in Distributor.sol.
When the STADIUM_ADDRESS becomes blacklisted, the call to _comissionTransfer(erc20) within the _distribute() function in Distributor.sol will always fail, resulting in the error ProxyFactory__DelegateCallFailed(). This means every proxy contract holding said tokens will be bricked.
Here's a gist of a POC I wrote.
Impact
High.
Tools Used
Manual review
Recommendations
Create a
emergencyWithdraw()function in theDistributor.solthat doesn't have a call to_comissionTransfer(erc20). It should transfer all the specified tokens and it should be only callable by the owner of theProxyFactory.sol.
The address of the owner ofProxyFactory.solshould be stored inDistributor.solduring the constructor. You can then useOWNER_PROXY_FACTORY == msg.senderto validate if it's the owner of theProxyFactory.solthat is calling theemergencyWithdraw()function.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.